PDF malware analysis — malicious · 0bbf4609a3a8c084

MALICIOUS

PDF

248.2 KB Created: 2010-01-20 19:22:20 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: 18126b048c81dae803f0cd8b9489d8dd SHA-1: 69aaf60b0d5c97ab3fb37b37a2dfa0959be622cd SHA-256: 0bbf4609a3a8c0849aea248a06735ebfcf147cb9b514b0949a53f34d649da1ff

132 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded URLs that are flagged as unknown reputation, suggesting they are part of a malicious infrastructure. The presence of a hidden HTML iframe and ML classification further indicate malicious intent. ClamAV detection confirms this file is malware, likely a dropper designed to redirect users to malicious sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9369

Heuristics 3

ClamAV: Pdf.Dropper.Agent-7596522-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7596522-0
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fuadrenal.com/lib/index.php
- http://reycross.com/lib/index.php
- http://odmarco.com/lib/index.php
- http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off0000c41b.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xC41B	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.